
perfsonar-user - [perfsonar-user] Software vulnerabilities

Subject: perfSONAR User Q&A and Other Discussion


[perfsonar-user] Software vulnerabilities


  • From: Darryl K Wohlt <>
  • To: "" <>
  • Subject: [perfsonar-user] Software vulnerabilities
  • Date: Tue, 28 Feb 2023 15:05:59 +0000

Hello,

 

Our PerfSONAR instances have been ticketed by our cybersecurity group for a number of vulnerabilities, and I'll need a little help to remediate.

 

To summarize these using psonar5.deemz.net (4.4.6-1.el7,  3.10.0-1160.53.1.el7.x86_64 #1 SMP Fri Jan 14 13:59:45 UTC 2022 x86_64):

 

A. Cross Site Scripting (3 instances)

 

Proof URLs:

https://psonar5.deemz.net/esmond/perfsonar/archive/?format=json&measurement-agent=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x000004)%3C/scRipt%3E&pscheduler-http-url="134.79.235.226&pscheduler-test-type=http

 

https://psonar5.deemz.net/esmond/perfsonar/archive/?destination=134.79.235.226&source=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x000447)%3C/scRipt%3E

 

https://psonar5.deemz.net/esmond/perfsonar/archive/?format=json&measurement-agent=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x00088A)%3C/scRipt%3E&pscheduler-dns-query=198.49.208.18&pscheduler-test-type=dns

 

Vulnerability Details:

Invicti Enterprise detected Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

 

Impact

There are many different attacks that can be leveraged through the use of cross-site scripting, including:

* Hijacking user's active session.
* Mounting phishing attacks.
* Intercepting data and performing man-in-the-middle attacks.

 

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly.

 

B. Out-of-date Version (jQuery UI Autocomplete)

On https://psonar5.deemz.net/toolkit/js/jquery-ui/

 

Vulnerability Details

Invicti Enterprise identified the target web site is using jQuery UI Autocomplete and detected that it is out of date.

 

Identified Version 1.11.4

Overall latest version 1.13.0

 

Impact

Since this is an old version of the software, it may be vulnerable to attacks.

 

Remedy

Please upgrade your installation of jQuery UI Autocomplete to the latest stable version.

 

C. Out-of-date Version (jQuery)

On https://psonar5.deemz.net/esmond/perfsonar/

 

Vulnerability Details

Invicti Enterprise identified the target web site is using jQuery and detected that it is out of date.

 

Identified Version 3.3.1

Overall latest version 3.6.0

 

Impact

Since this is an old version of the software, it may be vulnerable to attacks.

 

Remedy

Please upgrade your installation of jQuery to the latest stable version.

 

D. Out-of-date Version (Bootstrap)

On psonar5.fnal.gov

 

Vulnerability Details

Invicti Enterprise identified the target web site is using Bootstrap and detected that it is out of date.

 

Identified Version 3.4.0

Latest Version 3.4.1 (in this branch)

Overall latest version 5.1.3

 

Impact

Since this is an old version of the software, it may be vulnerable to attacks.

 

Remedy

Please upgrade your installation of Bootstrap to the latest stable version.

 

Thanks for any guidance,

Darryl

 

Darryl K. Wohlt

Senior Network Analyst

 

CCD/NCS/Network Services

Fermi National Accelerator Laboratory

P.O. Box 500, MS 368

Batavia, Illinois 60510

USA

 

630 840 2901 office

630 945 5687  mobile

www.fnal.gov

 



